Question
I am developing a native app that has to display the Office 365 groups the user is a member of. For this, I call the Microsoft Graph API which requires authentication. I'm using the ADAL library.
The permissions needed require admin consent. Everything works fine for users from my tenant, but when I try to authenticate with an account of another tenant it doesn't work. It keeps giving this result:
Correlation ID: 9780ed24-9d24-4604-b8bf-28a02c2ea580
Timestamp: 2017-04-14 12:05:45Z
AADSTS70001: Application with identifier 'xxxxxxxx-xxx-xxx-xxxx-xxxxxxxxxxxx' was not found in the directory XXXXXXX.onmicrosoft.com
even if I use an admin account on first connection. I am never asked for consent and the app is not registered on the other tenant.
The app is registered as Native so it should be multi-tenant and I pass "/common" as the tenant in the authority.
I also tried to register an app with the same specifications on the other tenant, gave admin consent on the permissions and it worked as well.
Here is how I retrieve the access token:
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// authority ("https://login.microsoftonline.com/common"), graphResource, clientID and
// redirectURI are fields defined elsewhere in the app (not shown in the question).
private static string GetAccessToken()
{
    // Interactive sign-in against the "/common" authority, so users from any tenant can authenticate.
    AuthenticationContext authContext = new AuthenticationContext(authority);
    AuthenticationResult authResult = authContext.AcquireToken(graphResource, clientID, redirectURI, PromptBehavior.RefreshSession);
    var accessToken = authResult.AccessToken;
    return accessToken;
}
Is it a problem within the code? The parameters? Do the other tenants need some 'special Azure subscription' I'm not aware of?
In short: how do I get it to work for other tenants?
Edit: I tried to manually add the "prompt=admin_consent" to the request, like this:
AuthenticationResult authResult = authContext.AcquireToken(graphResource, clientID, redirectURI, PromptBehavior.RefreshSession, UserIdentifier.Any, "prompt=admin_consent");
But it triggers an error saying that there is a "Duplicate query parameter 'prompt' in extraQueryParameters".
Answer 1:
This is a known issue in the new Azure portal when registering native client applications.
These are currently (as of 2017-04-14) being created as single-tenant applications. Since the Azure portal doesn't expose the "multi-tenant" toggle for native client applications, you need to update the app manifest or use Azure AD PowerShell to do this.
Making an app multi-tenant from the manifest
- In the Azure portal, from the settings blade for your native client application, click the Manifest option.
- Update the availableToOtherTenants value to true.
- Save the manifest.
Making an app multi-tenant with Azure AD PowerShell
- Download the Azure AD PowerShell v2 module (AzureAD): https://docs.microsoft.com/en-us/powershell/azure/install-adv2?view=azureadps-2.0
- Run the following:
$appId = "<app ID>"
$app = Get-AzureADApplication -Filter "appId eq '$appId'"
Set-AzureADApplication -ObjectId $app.ObjectId -AvailableToOtherTenants $true
That should patch it up. Wait a bit, then try again.
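The PowerShell route above, written out as a complete script that also verifies the change took effect. This is an added example, not code from the answer above; the `$AppId` parameter is a placeholder for the Application (client) ID of your own registration, and the script assumes the AzureAD (v2) module is installed and that the signed-in account may modify app registrations in the tenant that owns the registration.

```powershell
# Added example (not from the original answer): flip a native app registration to
# multi-tenant with the AzureAD v2 module and confirm the value by re-reading the object.
param(
    [Parameter(Mandatory = $true)]
    [string]$AppId   # placeholder: the Application (client) ID, e.g. "xxxxxxxx-xxx-xxx-xxxx-xxxxxxxxxxxx"
)

Import-Module AzureAD
Connect-AzureAD | Out-Null   # interactive sign-in to the tenant that owns the registration

$app = Get-AzureADApplication -Filter "appId eq '$AppId'"
if (-not $app) {
    throw "No application with appId '$AppId' was found in this tenant."
}

Write-Host "Before: AvailableToOtherTenants = $($app.AvailableToOtherTenants)"

if (-not $app.AvailableToOtherTenants) {
    # This is the same change the portal manifest edit (availableToOtherTenants: true) makes.
    Set-AzureADApplication -ObjectId $app.ObjectId -AvailableToOtherTenants $true
}

# Re-read the object from the directory instead of trusting the local copy.
$app = Get-AzureADApplication -ObjectId $app.ObjectId
Write-Host "After:  AvailableToOtherTenants = $($app.AvailableToOtherTenants)"

if (-not $app.AvailableToOtherTenants) {
    throw "The update did not take effect; check that your account can modify app registrations and retry."
}
```

Run it as `.\Set-MultiTenant.ps1 -AppId "<app ID>"`. Once the flag is true, users from any Azure AD tenant can sign in through the "/common" authority, so if the app only expects certain organisations it should check the `tid` claim of the token it receives rather than relying on the registration alone.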
Source: https://stackoverflow.com/questions/43409454/how-can-i-use-my-azure-ad-app-from-another-tenant